Hackers break into Washington Post servers for third time in three years

The Washington Post's servers were penetrated by hackers who accessed employees' user names and password data in a breach that marked the third intrusion in as many years, the paper reported.

Security personnel still don't know the full extent of the loss, an article published Wednesday said. The intrusion was discovered by outside security consultant Mandiant, which reported it to Washington Post officials Wednesday. Compromised data includes employees' user names and passwords that were "stored in encrypted form," which typically means as a cryptographic hash. Post officials, working under the assumption that a fair percentage of hashed passwords can be cracked, planned to direct all employees to change their passwords.

There's no evidence yet that subscriber information such as credit card data or home addresses was accessed. There was also no immediate sign that hackers had accessed the paper's publishing system, employee e-mail databases, or sensitive personal information belonging to workers. Wednesday's article cited a Washington Post official as saying investigators believe the intrusion lasted at most a few days.

Large international news organizations have become a common hacking target in recent years. Early this year, the New York Times said China-based attackers persistently intruded on its internal servers for four months straight. In the process, they obtained password data for all of its reporters and other employees. The Wall Street Journal suffered its own intrusion around the same time. And in February, KrebsOnSecurity reporter Brian Krebs uncovered an attack on Washington Post systems, also by suspected hackers from China. The NYT, Washington Post, Associated Press, and other news organizations have also been successfully targeted in other hacks, including a string of them by a group calling itself the Syrian Electronic Army.

The more recent attack on The Washington Post began with an intrusion into a server used by the paper's foreign staff and eventually spread to other company servers.

It'd be interesting to know why the Washington Post is such a frequent target though? Can't be the Snowden files (that's The Guardian), so what are they sitting on that's prompting this "special" attention?

How many times does this have to happen before the Washington Post hires someone actually good at security?

When your opponent is a nation state, or can simply out-budget you, there's no such thing as 'adequate security'.

I think the fair question, which is not answered here, is whether they learned something and implemented improvements after each intrusion. If they got caught basically the same way repeatedly, that's damning. But if they got caught by attackers using a series of new zero days, that really just says they are an attractive target.

That said, if newspapers are going to be a major target, they need to step up their security game.

"Compromised data includes employees' user names and passwords that were "stored in encrypted form," which typically means as a cryptographic hash."

Encrypted data is the original data in a different form, modified so as to hide its contents. A hash of data is a value that is computed using the original data as an input to the computation.

Encrypted data can be reverted back to the original data, hashing cannot.

(very basic) examples: Encryption, move each letter in a message up by one, so "ABC", becomes "BCD". In practice, extra random data is added to make it harder, and there are many more steps that make it much harder to figure out the source data with the "key" data, which can be used to reverse the encryption.

Hashing, pick a value for each letter, then add them all together, so for "ABC", let A = 1, B = 2, and C = 3. Then you have 1 + 2 + 3 = 6. "CBA" produces the same hash, as does "BD", if D = 4. With hashing, you cannot reverse the values with the hash alone. The best you can do is compute many values, and compare the hash to those computed values. If one matches, there is a chance that it could be the data, but the larger the original data set, it becomes exponentially more unlikely that you will guess a match.

As a guide, when storing information that MUST be retrieved (name, address) to actually show it to someone, encrypt that data. When you only need the value to compare it to something else (eg, password) but it never needs to be shown, then hash it, save that hash, and compare the hash values each time.
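The comment's two toy schemes, next to the salted, deliberately slow hash a password store would use for the "hash it and compare" case, as an added example that is not part of the original thread. PBKDF2-HMAC-SHA256, the iteration count and the sample passphrase are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

def shift_encrypt(msg, key=1):
    """Toy cipher from the comment: move each A-Z letter up by `key`."""
    return "".join(chr((ord(c) - 65 + key) % 26 + 65) for c in msg)

def shift_decrypt(ciphertext, key=1):
    """Encryption is reversible for anyone who holds the key."""
    return shift_encrypt(ciphertext, -key)

def letter_sum(msg):
    """Toy hash from the comment: A=1, B=2, ... added together."""
    return sum(ord(c) - 64 for c in msg)

ITERATIONS = 600_000  # assumed work factor; tune to your hardware

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, iterations, digest) for storage. The plaintext is never kept."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return salt, iterations, digest

def verify_password(candidate, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt, iterations)
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    # Reversible: the key turns "BCD" back into "ABC".
    print(shift_encrypt("ABC"), shift_decrypt("BCD"))
    # Lossy: three different inputs collapse to the same toy hash value.
    print(letter_sum("ABC"), letter_sum("CBA"), letter_sum("BD"))
    # Constructed sample passphrase, not a real credential.
    record = hash_password("constructed-sample-passphrase")
    print(verify_password("constructed-sample-passphrase", record))
    print(verify_password("wrong-guess", record))
```

The iteration count is what makes each guess against a stolen hash expensive, which is why a fast unsalted digest offers far less protection than the same password stored this way.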

That said, if newspapers are going to be a major target, they need to step up their security game.

This would be a great opportunity for US Cyber Command (the other agency that DirNSA oversees) to do some good by extending security assistance and expertise to the private sector. The Washington Post, like many other newspaper/news organisations, has struggled financially. However, that the WaPo would accept any help from the government is doubtful, given the massive loss of trust in, and public cynicism towards, US intelligence agencies.

How many times does this have to happen before the Washington Post hires someone actually good at security?

When your opponent is a nation state, or can simply out-budget you, there's no such thing as 'adequate security'.

I just don't get why it's the Washington Post. They don't have anything of value. They're the Fox News of print "journalism." If it were the Guardian or The New York Times, they'd have a point.

You're thinking about the Washington Times, not the Post... and the Post is one of the papers that Snowden leaked to - http://en.wikipedia.org/wiki/Edward_Snowden - scroll down to the publication section. The Post has been called a lot of things - a tool of the right isn't one of them.

How many times does this have to happen before the Washington Post hires someone actually good at security?

When your opponent is a nation state, or can simply out-budget you, there's no such thing as 'adequate security'.

I just don't get why it's the Washington Post. They don't have anything of value. They're the Fox News of print "journalism." If it were the Guardian or The New York Times, they'd have a point.

You're thinking about the Washington Times, not the Post... and the Post is one of the papers that Snowden leaked to - http://en.wikipedia.org/wiki/Edward_Snowden - scroll down to the publication section. The Post has been called a lot of things - a tool of the right isn't one of them.

Ah, thank you for the correction. You're right. I was thinking of the other publication.

When are we going to stop calling them hackers and start calling them the NSA?

When are people going to realize that the NSA is only doing a tiny portion of the hacking that is going on. It is notable that Snowden only released info on hacking by the US and their close allies despite counter intelligence being a major duty of the NSA. He wasn't interested in exposing the secrets of anyone else but the US and their allies. That doesn't invalidate what he released or mean we should ignore it, but I think there is likely more to Snowden's story than pure altruism.

I'd bet it is another nation hacking The Post to retrieve Snowden's cache in order to learn what NSA's capabilities are and how to exploit it.

It's hard to imagine the NSA hacking The Post with all the bad publicity it would be sure to bring. And they've shown themselves to be more competent than this.

It's also pretty hard to imagine the Post wouldn't have the Snowden files on an airgapped machine.

Ideally, they'd be stored on an airgapped CD. Then it cannot be remotely modified, even if a hacker was putzing around the system when the data happened to be online as well, and there's zero chance of hackers obtaining the data remotely if it's not actively being worked on (preferably in an airgapped machine). Airgapping is a great measure, but Stuxnet proved it's not the be-all end-all of security.

When are we going to stop calling them hackers and start calling them the NSA?

When are people going to realize that the NSA is only doing a tiny portion of the hacking that is going on. It is notable that Snowden only released info on hacking by the US and their close allies despite counter intelligence being a major duty of the NSA. He wasn't interested in exposing the secrets of anyone else but the US and their allies. That doesn't invalidate what he released or mean we should ignore it, but I think there is likely more to Snowden's story than pure altruism.

Considering that half the leaks aren't even about how they affect US Citizens (despite him claiming originally as the only reason for the leaks) I think you are correct. However, the stigmatism to say anything other than "Snowden is a patriot" is so huge that suggesting something more convoluted than the simple "for freedom" excuse is frowned upon.

I'm not sure how any firm in the US can be upset at being hacked by a foreign entity in light of the recent revelations about NSA hacking.

It appears the actions of the Chinese (government sponsored?) hackers are in line with current US policy.

Because being based in the U.S., means you automatically agree with all of the actions taken by the NSA, amirite?

Guilty by geographical boundaries? Are you fucking serious?

Pretty much. Look, it wasn't until the NSA got outed that the big internet companies started taking their internal network security as well as their customers' security seriously. These NSLs and the stupid FISA star chamber courts are the cause of this. These companies supposedly have no choice but to cooperate.

Because of these documents, these large corporations are taking a revenue blood bath internationally, and that is affecting their bottom line. Investors take the bottom line and price per share really seriously.

When are we going to stop calling them hackers and start calling them the NSA?

When are people going to realize that the NSA is only doing a tiny portion of the hacking that is going on. It is notable that Snowden only released info on hacking by the US and their close allies despite counter intelligence being a major duty of the NSA. He wasn't interested in exposing the secrets of anyone else but the US and their allies. That doesn't invalidate what he released or mean we should ignore it, but I think there is likely more to Snowden's story than pure altruism.

Considering that half the leaks aren't even about how they affect US Citizens (despite him claiming originally as the only reason for the leaks) I think you are correct. However, the stigmatism to say anything other than "Snowden is a patriot" is so huge that suggesting something more convoluted than the simple "for freedom" excuse is frowned upon.

What else other than a patriot is Snowden? Is he a traitor?

Why then did actual Government employees not do this? Their oath is to uphold the constitution, not the government. Clearly the constitution was and still is being violated.

“I, [name], do solemnly swear (or affirm) that I will support and defend the Constitution of the United States against all enemies, foreign and domestic; that I will bear true faith and allegiance to the same; that I take this obligation freely, without any mental reservation or purpose of evasion; and that I will well and faithfully discharge the duties of the office on which I am about to enter. So help me God.” 5 U.S.C. §3331

I'm not sure how any firm in the US can be upset at being hacked by a foreign entity in light of the recent revelations about NSA hacking.

It appears the actions of the Chinese (government sponsored?) hackers are in line with current US policy.

Because being based in the U.S., means you automatically agree with all of the actions taken by the NSA, amirite?

Guilty by geographical boundaries? Are you fucking serious?

Pretty much. Look, it wasn't until the NSA got outed that the big internet companies started taking their internal network security as well as their customers' security seriously. These NSLs and the stupid FISA star chamber courts are the cause of this. These companies supposedly have no choice but to cooperate.

Because of these documents, these large corporations are taking a revenue blood bath internationally, and that is affecting their bottom line. Investors take the bottom line and price per share really seriously.

So The Washington Post can't be upset by these hacks because of what the NSA is doing? Because that's what the OP said.

When are we going to stop calling them hackers and start calling them the NSA?

When are people going to realize that the NSA is only doing a tiny portion of the hacking that is going on. It is notable that Snowden only released info on hacking by the US and their close allies despite counter intelligence being a major duty of the NSA. He wasn't interested in exposing the secrets of anyone else but the US and their allies. That doesn't invalidate what he released or mean we should ignore it, but I think there is likely more to Snowden's story than pure altruism.

He obviously was only able to leak information he had. I suspect he would have leaked information regarding Russia and China's surveillance programs, if he had any. But it's moot, because he didn't. It appears you are condemning him for a lack of omniscience. That is a tough standard.

When are we going to stop calling them hackers and start calling them the NSA?

When are people going to realize that the NSA is only doing a tiny portion of the hacking that is going on. It is notable that Snowden only released info on hacking by the US and their close allies despite counter intelligence being a major duty of the NSA. He wasn't interested in exposing the secrets of anyone else but the US and their allies. That doesn't invalidate what he released or mean we should ignore it, but I think there is likely more to Snowden's story than pure altruism.

He obviously was only able to leak information he had. I suspect he would have leaked information regarding Russia and China's surveillance programs, if he had any. But it's moot, because he didn't. It appears you are condemning him for a lack of omniscience. That is a tough standard.

He went to great efforts to gather specific information. He got others to give him passwords in order to access much, if not most, of what he leaked.

Data is compartmentalized, and if I understand what he did at the NSA, you are correct that he wouldn't have had need to have information on what America's enemies were doing. It sounds like he was helping to provide tools to the analysts.

That doesn't match up with his claims that he personally had access to basically anyone's personal data, and it seems likely that he could have gained access to information about other foreign intelligence efforts in the same way that he gathered much of his info.

Some other things like his fleeing to China, and then to Russia add to my suspicions that he was particularly focused on the efforts of the US and its allies rather than spying in general. That might be simply because he expected more from the US.

I don't know his motives, but for whatever reason his actions went beyond that of a whistle blower. He's not going to get, nor should he get amnesty for all of his actions, and amnesty for just some of them doesn't do him much good. Maybe he's a hero and a criminal at the same time, but he's still a criminal.

Hopefully some good comes from what he has done, and maybe he can be happy with a nice, quiet life while keeping out of the reach of those countries whose laws he violated and whose faith in him he betrayed.

If he tries exposing the same kind of actions in the countries that will harbor him now, they will likely kill him, or lock him in some place that will make him long to be sent to a US prison.

I'm not sure how any firm in the US can be upset at being hacked by a foreign entity in light of the recent revelations about NSA hacking.

It appears the actions of the Chinese (government sponsored?) hackers are in line with current US policy.

Because being based in the U.S., means you automatically agree with all of the actions taken by the NSA, amirite?

Guilty by geographical boundaries? Are you fucking serious?

Pretty much. Look, it wasn't until the NSA got outed that the big internet companies started taking their internal network security as well as their customers' security seriously. These NSLs and the stupid FISA star chamber courts are the cause of this. These companies supposedly have no choice but to cooperate.

Because of these documents, these large corporations are taking a revenue blood bath internationally, and that is affecting their bottom line. Investors take the bottom line and price per share really seriously.

So The Washington Post can't be upset by these hacks because of what the NSA is doing? Because that's what the OP said.

I'm not saying that the WP shouldn't be upset. What I'm saying is that until Snowden, a lot of companies were rolling over to the US Govt and not taking data protection and security seriously. Now Google, MS and others who have international networks are looking at serious encryption of their networks, when once they were clear text. Internal network security is being boosted as well. MS is looking at even doing VPNs between internal server farms in the same building and within the US itself. If a company cannot be trusted with its clients' data, it won't have clients for very long.

Clearly after three successful hacks in three years, WP is still not doing something properly. Unlike the hacks on Adobe and others who are looking for passwords to get financial data, the hacks on WP and other newspapers are either political or three letter agency (domestic or foreign you pick).

The fact that hackers could waltz through the newspapers' security means that the papers really need to step up and fix these issues. This includes, what I mentioned in a previous post, the papers need to really determine what needs to be accessible to the internet, and as well, they may need to have internal security blocks to limit or prevent access to other portions of their networks.

When are we going to stop calling them hackers and start calling them the NSA?

When are people going to realize that the NSA is only doing a tiny portion of the hacking that is going on. It is notable that Snowden only released info on hacking by the US and their close allies despite counter intelligence being a major duty of the NSA. He wasn't interested in exposing the secrets of anyone else but the US and their allies. That doesn't invalidate what he released or mean we should ignore it, but I think there is likely more to Snowden's story than pure altruism.

Considering that half the leaks aren't even about how they affect US Citizens (despite him claiming originally as the only reason for the leaks) I think you are correct. However, the stigmatism to say anything other than "Snowden is a patriot" is so huge that suggesting something more convoluted than the simple "for freedom" excuse is frowned upon.

What else other than a patriot is Snowden? Is he a traitor?

Maybe neither or a mix of both? Why does it need to be one or the other? Maybe a guy who did some good and some bad?

I think the leaks about the U.S. surveillance on its citizens were a good thing. I think the leaks regarding spying on other countries were not a good thing. Who knows what else he leaked that the papers feel is too sensitive to release. There has been way too much black and white in regards to Snowden's actions.